Data Protection - Staff Handbook
7. First Principle - Fair and Lawful Processing
7.1 Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met.
7.2 This principle covers both the original obtaining of data, for both computer and manual files, and its subsequent processing, whether by central services or by schools.
Obtaining data
7.3 At the point of collection certain information needs to be given to the data subject, comprising:
- the identity of the data controller, ie the University;
- a statement of the purposes for which the data is being collected;
- a statement of the disclosures; (ie who will see the data)
- any other information thought necessary to fair obtaining.
The University will meet this requirement as far as its central staff and student records are concerned by the use of standard wording on appropriate data collection forms.
7.4 Where schools subsequently make use of data which was originally collected by central services, there is no need for them to provide additional information to the data subjects, provided that they are using the data for the stated purpose(s). If schools wish to use the data for new purposes, this must be notified to the relevant data subjects concerned by the school/service. Where schools collect their own data, for example, for research purposes, they must supply the information listed at 7.3. The Data Protection Officer is able to give advice on wording.
Legitimate processing of data
7.5 Under the terms of the Act, personal data may only be collected and processed if at least one of a number of specified conditions are met:
- the data subject has given consent
- the processing is in the legitimate interests of the data controller
- the processing is required to carry out a contract
7.6 The University can rely on the ‘legitimate interests’ condition for the processing of all personal data. In the case of data about members of staff this will be augmented by the existence of the contract of employment. Consequently there is no requirement for additional action to be taken for data to be processed once it has been fairly obtained. This applies to all data, whether collected by central services or by schools and whether held on computer or manually.
Processing of sensitive data
7.7 The conditions for obtaining and processing sensitive personal data are subject to more stringent rules. They do not include the ‘legitimate interests’ condition and the consent condition means ‘explicit’ consent.
7.8 In those cases where sensitive personal data is processed it is necessary to obtain the explicit consent of the data subject before legitimate processing can take place. This is taken to mean a signature signifying consent; the use of an opt-out procedure is not acceptable. Where such data is being processed by central services, appropriate wording has been supplied to the office concerned for use on the appropriate forms at the point of collection. If schools wish to process sensitive personal data for their own purposes, for example in relation to research, they must obtain the explicit consent of the data subjects concerned. The Data Protection Officer can advise on wording.
7.9 An exception to this requirement is where sensitive personal data relating to race, ethnic origin, physical or mental health or religion, and being processed solely for the purposes of equal opportunities monitoring. In such cases, the explicit consent of the data subject is not required, provided that the data held is being processed anonymously.